6/28 - OTI and Public Knowledge FCC Petition for Rulemaking on Privacy, Cybersecurity Consumer Protections for 5.9 GHz Band

On June 28, OTI and Public Knowledge filed a petition for rulemaking on privacy, cybersecurity, and consumer protections for the 5.9 GHz band.

Summary

In 1999, the Commission authorized an allocation of 75 MHz for “Dedicated Short-Range Communication” (“DSRC”). Envisioned as part of a broader “Intelligent Transportation Service” network that paralleled the emerging public Internet, the auto industry and the Department of Transportation urged the FCC to adopt DSRC rules that enabled both non-commercial life and safety applications, and commercial applications such as mobile payments to gas stations, remote management of rental cars, and other undetermined commercial services.

Unfortunately, the Commission did not at that time consider the implications of DSRC either for privacy or cybersecurity. The ability of DSRC units to monitor and report detailed personal information about location and driving habits of individuals raises enormous concerns for personal privacy. When coupled with storage of financial information and purchasing information through future mobile payment applications, or the use of DSRC streaming capability for delivering advertising or entertainment, the threat to personal privacy grows exponentially.

Far more troubling, however, is the way in which the failure to impose adequate cybersecurity obligations on DSRC licensees and operators threatens the safety of our national roadways. Over the last year, a number of high-profile hacking incidents have highlighted the extraordinary vulnerability of cars to cyberattacks. Hackers have demonstrated the ability to seize control of braking, steering, and acceleration functions, which would allow a hacker to remotely crash vehicles. One report from Intel chronicled 14 different ways a hacker can gain access to a car’s operating system. In March 2016, the Federal Bureau of Investigation (“FBI”) and the Department of Transportation (“DoT”) issued a joint Public Service Announcement warning car owners about the increasing vulnerability of their cars to “remote exploits” (i.e., cyberattacks).

Even more troubling, Congressional reports have concluded that the car industry lacks the capacity or the culture to respond effectively to these threats. As the Markey Report found, the culture of the car industry encourages bad behavior on privacy and lax cybersecurity, discourages auto manufacturers from publicizing and sharing information on potential vulnerabilities, and erects barriers to the ability of auto manufacturers to push out timely cybersecurity updates.

To date, the one thing that has prevented cyberterrorists from creating a “car zombie apocalypse” by infecting thousands of cars with malware designed to crash them into crowds or one another has been the inability of cars to communicate with each other. As one expert explained:

“They haven’t been able to weaponize it. They haven’t been able to package it yet so that it’s easily exploitable,” said John Ellis, a former global technologist for Ford. “You can do it on a one-car basis. You can’t yet do it on a 100,000-car basis.”

DSRC provides precisely this capability to “weaponize” the vulnerability of cars through vehicle-to-vehicle communication (“V2V”). DSRC depends on high-speed, low-latency communication between vehicles, and must be linked directly to critical functions like acceleration, braking, and steering, in order to facilitate the supposed benefits to life and safety brought about by DSRC. DSRC units provide an access route for malware to spread directly from car to car, enabling hackers to steal the personal information of drivers and leaving cars open to “ransomware” or coordinated terrorist attack. When combined with the impending NHTSA mandate to require that all new model cars have DSRC units installed, the number of cars capable of spreading malware will grow exponentially over time. Only by acting now, before the auto industry can deploy any DSRC units, can the Commission adequately protect the public.